Dave Trader, chief security officer at GalaxE.Solutions, a health care IT-focused firm based in downtown Detroit, spoke with DBusiness Daily News about what companies, both big and small, can learn from the recent data breach at Anthem, an Indianapolis-based for-profit managed health care company in the Blue Cross and Blue Shield Association.
1. DDN: What is the take-away from the Anthem breach?
DT: Anthem is the second largest health care provider in the country, and (earlier this month, the company announced) its personal health information records had been breached. There’s been an ongoing investigation as to the depth of that breach and what was compromised, but potentially, the hackers have the ability to publish that information on the Internet.
2. DDN: What lesson does this serve for other companies and small businesses?
DT: It can be easy to look at the news of data breaches like this one and think, “Man, I’m just a small company, and this big company can’t even handle the task.” It’s daunting. But there are key things you can do to make it harder for these hackers, which is key. You make it difficult enough where they just pass. It’s kind of like leaving your door open at home. If a burglar walks by and sees an open door, that’s a pretty clear sign that he’s going to be able to get in. It’s the same thing with computer security. If you’ve got enough security layered on, the hackers will move on to find an easier target.
3. DDN: Would antivirus software be sufficient?
DT: A lot of times, smaller businesses feel like they’re protected by just using antivirus software. But they need to make sure their firewalls are properly configured with some type of automated detection system. There are different price points based on the size of the company — you might not need to have as robust a system as Anthem — but you want to have something in place.
Whatever route you take for security, you have to have as much automation built in as possible because you’re literally dealing with a million firewall instances daily. You can’t put eyeballs on that; you have to have an automated solution that can alert you when something malicious comes through.
4. DDN: What best practices do you recommend?
DT: You want to have someone else review your system for you, an annual audit that says where you can improve and where you’ve done a good job. It’s good to rotate (the third-party vendor) you use each year to check your system. That way, you don’t fall into the rut of using the same company who’s used to your environment and might overlook things (as a result of that).
5. DDN: What steps can a company take if it experiences a data breach?
DT: Well, and I think this is what Anthem is doing now, they should do a root cause analysis, or an RCA. It’s where you go back to figure out where the leak is and how (the hackers) got through the door. So you do that root cause analysis and then take remediation steps to address (the issue). And you keep doing that, and then you start over. You assess, then remediate, and then assess again. And you keep doing that until you’re able to prove through every step that you’ve done your due diligence and that everything is in place and meets industry standards and best practices.​
